Troubleshooting an Orphaned Child Domain in a Forest with Multiple Deleted DCs
As a Windows server administrator, you may encounter situations where an orphaned child domain is created within a forest, causing issues with domain naming and replication. In this blog post, we will discuss a specific scenario where there are two deleted DCs in the Child2 domain, and how to troubleshoot and resolve the issue using ntdsutil and other tools.
Background Information
----------------------
A forest is a collection of one or more domains that share a common directory database. Within a forest, there can be multiple child domains, each with its own domain naming master (DNM) and one or more domain controllers (DCs). When a DC is deleted without first being demoted, the child domain becomes orphaned and its DNM can no longer be contacted.
In our scenario, we have a forest with an orphaned Child2 domain that contains two deleted DCs. The Child2 domain has no active DCs, and we are trying to remove it using ntdsutil. However, the removal fails due to the presence of the two deleted DCs.
Symptoms and Steps Taken
------------------------
The symptoms of this issue include:
* The Child2 domain is orphaned and has no active DCs.
* There are two deleted DCs in the Child2 domain.
* Removing the Child2 domain using ntdsutil fails with an error message indicating that there are still DCs present in the domain.
Steps taken to troubleshoot the issue include:
1. Forcefully removing the 2nd DC of the Child2 domain, which was successful.
2. Forcefully removing the 1st DC of the Child2 domain, but this failed with an error message indicating that there are still DCs present in the domain.
Error Message and Causes
------------------------
The error message encountered when trying to remove the Child2 domain using ntdsutil is:
“The following domains have active directory controllers: .”
This error message indicates that there are still DCs present in the Child2 domain, which is preventing the removal of the domain. The cause of this issue is that there are two deleted DCs in the Child2 domain, and ntdsutil cannot remove the domain as long as these DCs are present.
Resolution and Workaround
-------------------------
To resolve this issue, we can use the following steps:
1. Remove the 1st DC of the Child2 domain using ntdsutil. This will leave only one deleted DC in the domain, which should not prevent the removal of the domain.
2. Remove the remaining deleted DC from the Child2 domain using ntdsutil.
3. Once both deleted DCs have been removed, try again to remove the Child2 domain using ntdsutil. This should now be successful.
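The following PowerShell is an added example for this post, not a script from the original author. It does the two things the steps above rely on: it inventories the leftover NTDS Settings objects that make ntdsutil report "The following domains have active directory controllers", and it builds the metadata cleanup command for each of them so that the domain removal can be retried afterwards. It assumes the ActiveDirectory module is installed, that the session runs as an Enterprise Admin on a writable DC in the forest root, and that the domain name, site names and DC names are placeholders (the function names Get-OrphanedDomainServer, Invoke-OrphanedDomainCleanup and Test-OrphanedDomainRemoved are this example's own).

```powershell
# Added example (not the post's own script). Placeholder domain name:
# 'child2.corp.example'. Requires the ActiveDirectory module and an
# Enterprise Admin session on a writable forest-root DC.
Import-Module ActiveDirectory

function Get-OrphanedDomainServer {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ChildDnsRoot)

    $configNC = (Get-ADRootDSE).configurationNamingContext

    # The crossRef under CN=Partitions is what keeps the child domain in the forest.
    $crossRef = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
        -Filter "objectClass -eq 'crossRef' -and dnsRoot -eq '$ChildDnsRoot'" `
        -Properties nCName, nETBIOSName
    if (-not $crossRef) { throw "No crossRef for '$ChildDnsRoot' under CN=Partitions,$configNC" }
    $domainNC = $crossRef.nCName

    # Every DC is represented by an nTDSDSA object ("NTDS Settings") under CN=Sites.
    # ntdsutil's "remove selected domain" refuses while any of them still lists the
    # child domain's naming context as a writable partition it hosts.
    Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter "objectClass -eq 'nTDSDSA'" `
        -Properties 'msDS-HasDomainNCs', hasMasterNCs |
      Where-Object {
          $_.'msDS-HasDomainNCs' -contains $domainNC -or $_.hasMasterNCs -contains $domainNC
      } |
      ForEach-Object {
          # The server object is the parent of NTDS Settings; that DN is what
          # "remove selected server <DN>" in ntdsutil's metadata cleanup menu takes.
          $serverDN = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
          [pscustomobject]@{
              DomainNC = $domainNC
              ServerDN = $serverDN
              Site     = (($serverDN -split ',')[2]) -replace '^CN=', ''
              Command  = "ntdsutil `"metadata cleanup`" `"remove selected server $serverDN`" quit quit"
          }
      }
}

function Invoke-OrphanedDomainCleanup {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ChildDnsRoot, [switch]$Execute)

    # Step 1 and 2 of the resolution: clean up each leftover DC one at a time.
    # Without -Execute the commands are only printed for review.
    foreach ($server in Get-OrphanedDomainServer -ChildDnsRoot $ChildDnsRoot) {
        if ($Execute) { Invoke-Expression $server.Command } else { Write-Output $server.Command }
    }

    # Step 3 of the resolution: the domain itself is selected by number from
    # "list domains", so that part stays interactive:
    #   ntdsutil
    #   metadata cleanup
    #   select operation target
    #   list domains          (note the number shown next to the child domain)
    #   select domain <n>
    #   quit
    #   remove selected domain
    #   quit
    #   quit
}

function Test-OrphanedDomainRemoved {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ChildDnsRoot)

    # True only when no crossRef and no NTDS Settings object still reference the domain.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $crossRef = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
        -Filter "objectClass -eq 'crossRef' -and dnsRoot -eq '$ChildDnsRoot'"
    if ($crossRef) { return $false }
    return $true
}

# Usage (placeholder domain name):
#   Get-OrphanedDomainServer -ChildDnsRoot 'child2.corp.example' | Format-Table Site, ServerDN
#   Invoke-OrphanedDomainCleanup -ChildDnsRoot 'child2.corp.example'            # prints only
#   Invoke-OrphanedDomainCleanup -ChildDnsRoot 'child2.corp.example' -Execute   # runs ntdsutil
#   Test-OrphanedDomainRemoved -ChildDnsRoot 'child2.corp.example'
```

Run the inventory first and compare it with what ntdsutil's "list servers in site" shows; the objects it returns are exactly the ones that still block "remove selected domain". The -Execute switch is deliberately opt-in, and a system state backup of the forest-root DC before running it is the usual precondition for metadata cleanup. Once Test-OrphanedDomainRemoved returns $true, the crossRef is gone and the domain no longer exists in the forest.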
Alternatively, we can use the following workarounds:
1. Demote one of the deleted DCs to a normal server, and then remove the Child2 domain using ntdsutil.
2. Use the Windows Task Scheduler to schedule a script that will remove the Child2 domain after a certain time period (e.g., 24 hours). This can be done by creating a new task with the following steps:
a. Start a PowerShell script that contains the following command: “Remove-ADDomain -Name -Force”.
b. Set the task to run at a specific time each day (e.g., 12:00 AM).
c. Set the task to run for a specified number of days (e.g., 7 days).
d. Save the task and close the Task Scheduler.
This will remove the Child2 domain after the specified time period, regardless of whether there are still DCs present in the domain.
Conclusion
----------
In this blog post, we have discussed a specific scenario where there are two deleted DCs in an orphaned Child2 domain, and how to troubleshoot and resolve the issue using ntdsutil and other tools. By understanding the symptoms and causes of this issue, as well as the resolution and workarounds, you can effectively troubleshoot and resolve similar issues in your own Windows server environment.